Fix Date-Time Parsing in GetDurationFromNowInSeconds for Multiple Formats

src/client/Microsoft.Identity.Client/OAuth2/MsalTokenResponse.cs

@@ -249,10 +249,21 @@ internal static MsalTokenResponse CreateFromiOSBrokerResponse(Dictionary<string,
 
         internal static MsalTokenResponse CreateFromManagedIdentityResponse(ManagedIdentityResponse managedIdentityResponse)
         {
-            ValidateManagedIdentityResult(managedIdentityResponse);
+            // Validate that the access token is present. If it is missing, handle the error accordingly.
+            if (string.IsNullOrEmpty(managedIdentityResponse.AccessToken))
+            {
+                HandleInvalidExternalValueError(nameof(managedIdentityResponse.AccessToken));
+            }
 
-            long expiresIn = DateTimeHelpers.GetDurationFromNowInSeconds(managedIdentityResponse.ExpiresOn);
+            // Parse and validate the "ExpiresOn" timestamp, which indicates when the token will expire.
+            long expiresIn = DateTimeHelpers.GetDurationFromManagedIdentityTimestamp(managedIdentityResponse.ExpiresOn);
+
+            if (expiresIn <= 0)
+            {
+                HandleInvalidExternalValueError(nameof(managedIdentityResponse.ExpiresOn));
+            }
 
+            // Construct and return an MsalTokenResponse object with the necessary details.
             return new MsalTokenResponse
             {
                 AccessToken = managedIdentityResponse.AccessToken,
@@ -275,20 +286,6 @@ internal static MsalTokenResponse CreateFromManagedIdentityResponse(ManagedIdent
             return null;
         }
 
-        private static void ValidateManagedIdentityResult(ManagedIdentityResponse response)
-        {
-            if (string.IsNullOrEmpty(response.AccessToken))
-            {
-                HandleInvalidExternalValueError(nameof(response.AccessToken));
-            }
-
-            long expiresIn = DateTimeHelpers.GetDurationFromNowInSeconds(response.ExpiresOn);
-            if (expiresIn <= 0)
-            {
-                HandleInvalidExternalValueError(nameof(response.ExpiresOn));
-            }
-        }
-
         internal static MsalTokenResponse CreateFromAppProviderResponse(AppTokenProviderResult tokenProviderResponse)
         {
             ValidateTokenProviderResult(tokenProviderResponse);

src/client/Microsoft.Identity.Client/Utils/DateTimeHelpers.cs

@@ -74,6 +74,31 @@ public static long GetDurationFromNowInSeconds(string unixTimestampInFuture)
             return expiresOnUnixTimestamp - CurrDateTimeInUnixTimestamp();
         }
 
+        public static long GetDurationFromManagedIdentityTimestamp(string dateTimeStamp)
+        {
+            if (string.IsNullOrEmpty(dateTimeStamp))
+            {
+                return 0;
+            }
+
+            // First, try to parse as Unix timestamp (number of seconds since epoch)
+            // Example: "1697490590" (Unix timestamp representing seconds since 1970-01-01)
+            if (long.TryParse(dateTimeStamp, out long expiresOnUnixTimestamp))
+            {
+                return expiresOnUnixTimestamp - DateTimeHelpers.CurrDateTimeInUnixTimestamp();
+            }
+
+            // Try parsing as ISO 8601 
+            // Example: "2024-10-18T19:51:37.0000000+00:00" (ISO 8601 format)
+            if (DateTimeOffset.TryParse(dateTimeStamp, null, DateTimeStyles.RoundtripKind, out DateTimeOffset expiresOnDateTime))
+            {
+                return (long)(expiresOnDateTime - DateTimeOffset.UtcNow).TotalSeconds;
+            }
+
+            // If no format works, throw an MSAL client exception
+            throw new MsalClientException("invalid_timestamp_format", $"Failed to parse date-time stamp from identity provider. Invalid format: '{dateTimeStamp}'.");
+        }
+
         public static DateTimeOffset? DateTimeOffsetFromDuration(long? duration)
         {
             if (duration.HasValue)

tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHelpers.cs

@@ -113,9 +113,21 @@ public static string GetBridgedHybridSpaTokenResponse(string spaAccountId)
             ",\"id_token_expires_in\":\"3600\"}";
         }
 
-        public static string GetMsiSuccessfulResponse(int expiresInHours = 1)
+        public static string GetMsiSuccessfulResponse(int expiresInHours = 1, bool useIsoFormat = false)
         {
-            string expiresOn = DateTimeHelpers.DateTimeToUnixTimestamp(DateTime.UtcNow.AddHours(expiresInHours));
+            string expiresOn;
+
+            if (useIsoFormat)
+            {
+                // Return ISO 8601 format
+                expiresOn = DateTime.UtcNow.AddHours(expiresInHours).ToString("o", CultureInfo.InvariantCulture);
+            }
+            else
+            {
+                // Return Unix timestamp format
+                expiresOn = DateTimeHelpers.DateTimeToUnixTimestamp(DateTime.UtcNow.AddHours(expiresInHours));
+            }
+
             return
           "{\"access_token\":\"" + TestConstants.ATSecret + "\",\"expires_on\":\"" + expiresOn + "\",\"resource\":\"https://management.azure.com/\",\"token_type\":" +
           "\"Bearer\",\"client_id\":\"client_id\"}";

tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ManagedIdentityTests.cs

@@ -806,10 +806,13 @@ public async Task ManagedIdentityCacheTestAsync()
         }
 
         [DataTestMethod]
-        [DataRow(1, false)]
-        [DataRow(2, false)]
-        [DataRow(3, true)]
-        public async Task ManagedIdentityExpiresOnTestAsync(int expiresInHours, bool refreshOnHasValue)
+        [DataRow(1, false, false)] // Unix timestamp
+        [DataRow(2, false, false)] // Unix timestamp
+        [DataRow(3, true, false)]  // Unix timestamp
+        [DataRow(1, false, true)]  // ISO 8601
+        [DataRow(2, false, true)]  // ISO 8601
+        [DataRow(3, true, true)]   // ISO 8601
+        public async Task ManagedIdentityExpiresOnTestAsync(int expiresInHours, bool refreshOnHasValue, bool useIsoFormat)
         {
             using (new EnvVariableContext())
             using (var httpManager = new MockHttpManager(isManagedIdentity: true))
@@ -827,7 +830,7 @@ public async Task ManagedIdentityExpiresOnTestAsync(int expiresInHours, bool ref
                 httpManager.AddManagedIdentityMockHandler(
                     AppServiceEndpoint,
                     Resource,
-                    MockHelpers.GetMsiSuccessfulResponse(expiresInHours),
+                    MockHelpers.GetMsiSuccessfulResponse(expiresInHours, useIsoFormat),
                     ManagedIdentitySource.AppService);
 
                 AcquireTokenForManagedIdentityParameterBuilder builder = mi.AcquireTokenForManagedIdentity(Resource);
@@ -838,6 +841,8 @@ public async Task ManagedIdentityExpiresOnTestAsync(int expiresInHours, bool ref
                 Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
                 Assert.AreEqual(ApiEvent.ApiIds.AcquireTokenForSystemAssignedManagedIdentity, builder.CommonParameters.ApiId);
                 Assert.AreEqual(refreshOnHasValue, result.AuthenticationResultMetadata.RefreshOn.HasValue);
+                Assert.IsTrue(result.ExpiresOn > DateTimeOffset.UtcNow, "The token's ExpiresOn should be in the future.");
+
             }
         }
 

tests/Microsoft.Identity.Test.Unit/UtilTests/DateTimeHelperTests.cs

@@ -0,0 +1,82 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.Utils;
+using Microsoft.Identity.Test.Common;
+using Microsoft.Identity.Test.Common.Core.Helpers;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+namespace Microsoft.Identity.Test.Unit.UtilTests
+{
+    [TestClass]
+    public class DateTimeHelperTests
+    {
+        [TestMethod]
+        public void TestGetDurationFromNowInSecondsForUnixTimestampOnly()
+        {
+            // Arrange
+            var currentTime = DateTimeOffset.UtcNow;
+
+            // Example 1: Valid Unix timestamp (seconds since epoch)
+            long currentUnixTimestamp = DateTimeHelpers.CurrDateTimeInUnixTimestamp(); // e.g., 1697490590
+            string unixTimestampString = currentUnixTimestamp.ToString(CultureInfo.InvariantCulture);
+            long result = DateTimeHelpers.GetDurationFromNowInSeconds(unixTimestampString);
+            Assert.IsTrue(result >= 0, "Valid Unix timestamp (seconds) failed");
+
+            // Example 2: Unix timestamp in the future
+            string futureUnixTimestamp = (currentUnixTimestamp + 3600).ToString(); // 1 hour from now
+            result = DateTimeHelpers.GetDurationFromNowInSeconds(futureUnixTimestamp);
+            Assert.IsTrue(result > 0, "Future Unix timestamp failed");
+
+            // Example 3: Unix timestamp in the past
+            string pastUnixTimestamp = (currentUnixTimestamp - 3600).ToString(); // 1 hour ago
+            result = DateTimeHelpers.GetDurationFromNowInSeconds(pastUnixTimestamp);
+            Assert.IsTrue(result < 0, "Past Unix timestamp failed");
+
+            // Example 4: Empty string (should return 0)
+            string emptyString = string.Empty;
+            result = DateTimeHelpers.GetDurationFromNowInSeconds(emptyString);
+            Assert.AreEqual(0, result, "Empty string did not return 0 as expected.");
+        }
+
+        [TestMethod]
+        public void TestGetDurationFromNowInSecondsFromManagedIdentity()
+        {
+            // Arrange
+            var currentTime = DateTimeOffset.UtcNow;
+
+            // Example 1: Unix timestamp (seconds since epoch)
+            string unixTimestampInSeconds = DateTimeHelpers.DateTimeToUnixTimestamp(currentTime); // e.g., 1697490590
+            long result = DateTimeHelpers.GetDurationFromManagedIdentityTimestamp(unixTimestampInSeconds);
+            Assert.IsTrue(result >= 0, "Unix timestamp (seconds) failed");
+
+            // Example 2: ISO 8601 format
+            string iso8601 = currentTime.ToString("o", CultureInfo.InvariantCulture); // e.g., 2024-10-18T19:51:37.0000000+00:00
+            result = DateTimeHelpers.GetDurationFromManagedIdentityTimestamp(iso8601);
+            Assert.IsTrue(result >= 0, "ISO 8601 failed");
+
+            // Example 3: Common format (MM/dd/yyyy HH:mm:ss)
+            string commonFormat1 = currentTime.ToString("MM/dd/yyyy HH:mm:ss", CultureInfo.InvariantCulture); // e.g., 10/18/2024 19:51:37
+            result = DateTimeHelpers.GetDurationFromManagedIdentityTimestamp(commonFormat1);
+            Assert.IsTrue(result >= 0, "Common Format 1 failed");
+
+            // Example 4: Common format (yyyy-MM-dd HH:mm:ss)
+            string commonFormat2 = currentTime.ToString("yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture); // e.g., 2024-10-18 19:51:37
+            result = DateTimeHelpers.GetDurationFromManagedIdentityTimestamp(commonFormat2);
+            Assert.IsTrue(result >= 0, "Common Format 2 failed");
+
+            // Example 5: Invalid format (should throw an MsalClientException)
+            string invalidFormat = "invalid-date-format";
+            Assert.ThrowsException<MsalClientException>(() =>
+            {
+                DateTimeHelpers.GetDurationFromManagedIdentityTimestamp(invalidFormat);
+            }, "Invalid format did not throw an exception as expected.");
+        }
+    }
+}